Cast your minds back to the beginning of 2018, the General Data Protection Regulation (GDPR) was on the horizon. Depending on your point of view, it promised to give citizens back control over their data or herald the end of some types of businesses focused on dubious uses of personal data.
“The new legislation will give individuals greater rights over their personal data online and hold businesses accountable for managing and securing data properly.”
Twelve months on, I welcome the opportunity to share my experiences of the reality I have experienced both personally and professionally as a Data Protection Officer, privacy advocate, and data subject.
Email marketing was the first significant change in behaviour that hit most of our email inboxes in the buildup to 25th May 2018.
“Please consent or we can never talk to you again” was a regular phrase cropping up in my inbox pre GDPR.
I remember it took little over a week for one of these organisations to get in touch with me without my consent.
So, has email marketing died? No.
In my view, it has now become less obstructive and more relevant as organisations evolve their thinking on the practical application consent and legitimate interests as a lawful basis for processing. A big win for the consumer and companies alike.
The tsunami of rights requests and privacy complaints
While there is no doubt that the increased individual rights provided by the GDPR have been widely exercised, the predicted tsunami of complaints has thus far failed to materialise.
Have they increased? Yes.
The Financial Times reported in July 2018 that organisations were coming under strain to respond to requests from individuals, a fact regularly discussed amongst DPOs.
Generally, organisations tend to process the largest volume of personal data in relation to their employees rather than customers or clients. With that in mind, it’s no surprise that a significant number of requests to access personal data are made by an employee to his or her employer due to grievances.
Recent UK Court of Appeal decisions in Ittihadieh v Cheyne Gardens RTM Company Ltd have served to confirm that a collateral purpose such as litigation does not defeat a Subject Access Request.
Evidence of complaints from individuals abound with the European Data Protection Board (EDPB) reporting 95,180 complaints from citizens in Europe during the first eight months of GDPR.
Individuals and their rights
To exacerbate this increase in complaints, individuals may be ill-informed or ill-advised believing they have greater rights than in practice.
Consider the right of access; individuals incorrectly believe they have a right of access to documents when in fact GDPR only provides access to data and not documents.
Consider rectification; requests such as “some of my personal information is inaccurate and I request that this information be rectified” demonstrate individual awareness of rectification, but a lack of understanding.
Erasure is another generally misunderstood right that the request for erasure is absolute, when in fact it is only applicable in certain circumstances.
Such misunderstandings on the part of the individual can lead to frustration when requests are refused or data disclosures heavily redacted.
The GDPR landscape
My anecdotal evidence points to a significant number of organisations that have yet to grasp that the intent of the GDPR is about the individual, not the organisation.
As a data subject, I have had erasure requests actioned and completed within 7 days. A phenomenal response to a request.
Unfortunately, I have also experienced organisations trying to force me to follow their specific forms and processes and taking many months to respond to access requests, demonstrating the divergence of organisational approaches.
The Information Commissioner’s Office (ICO) has recently reported at its Data Practitioners’ Conference that it has received over 41,000 complaints since GDPR came into force, a 98% increase over the previous year. The ICO further commented that this level of complaints is not sustainable and that organisations need to manage complaints through an internal process.
The avalanche of Data Breach reports
In common with the majority of European Data Protection Authorities (DPAs), the ICO has warned of over reporting of data breaches.
In practice, the threshold for the notification of a breach to the DPA is clearly defined and the obligation to communicate to data subjects only occurs where there is a likelihood of high risk to the individual. The ICO provided data relating to data breaches through a Freedom of Information request where it laid bare the struggle organisations have in terms of notifying the ICO of a breach.
On average, pre-GDPR, organisations waited three weeks before notifying the ICO, a situation that will have to change significantly to meet the new 72-hour timeframe.
The Brexit Bomb
Who would have thought a year ago that we would still be considering the impacts the various flavors of Brexit may have on personal data and primarily transfers in and out of the UK?
The UK Government has confirmed that transfers from the UK to the EEA and the US will remain unaffected (due to its adoption of adequacy for the EEA and support for Privacy Shield), but for post-Brexit transfers from Europe into the UK, there is much less certainty.
Some UK organisations are still asking if GDPR will apply post Brexit. Yes! It will.
In the event of a no deal Brexit or beyond a transition period, the EU (Withdrawal) Act 2018 once enacted, in tandem with the Data Protection Act 2018, will retain the current status quo in data protection legislation.
The GDPR penalty shoot out
At the time of writing, the ICO has yet to lodge any fines under the GDPR regime. Whilst other EEA jurisdictions have been seen to take action – most notably the French DPA (CNIL) in its €50 million action against Google (currently subject to appeal) – fines generally remain lukewarm with nothing approaching the eye watering, predicted levels.
One potential reason for the slower than expected onslaught of monetary penalties may be the new consistency mechanism applicable to cross border cases. The European Data Protection Board (EDPB) reported over 100 cross-border cases in the first few weeks of the operation of the GDPR.
I envisage that the penalty regime will kick in some time soon. It will also provide a welcome wake up call to organisations who naively believe GDPR was similar to the Y2K phenomenon.
Class Action Attack
The GDPR (Articles 79 and 82) opened the door to judicial remedies for material and non-material damage through the courts, rather than via the DPA. Max Schrems was recently granted leave to take his case against Facebook to the Austrian courts, although his attempts to bring a class action were dismissed.
The much-anticipated transfer of the no-win, no-fee brigade from PPI claims to data breach or mismanagement claims via the courts, have also yet to materialize.
With legal organisations setting themselves up to take advantage of the rights of redress through the courts, the direction of data subjects to file an access request in advance of any action against organisations, is in itself helping to fuel the increase in access rights requests.
Early stages for this new data protection regime
Data protection legislation has been with us in the UK for over 30 years and in other jurisdictions for nearly 50 years.
A year into this new normal for protection of personal data, guidance continues to trickle out from the DPAs, case law remains scarce, and interpretation of the GDPR is not yet consistent.
It’s still early stages in the lifecycle of this new regulatory regime and I’m hopeful in the coming months and years, the shape of GDPR will continue to solidify and the intent of the individual at the heart of the legislation will become the default for the majority of organisations.